Tag Archives: Hacking at random

Results of a Security Assessment of Common Implementation Strategies of the TCP and IP Protocols
Posted by ChrisJohnRiley on August 15, 2009

Information and slides for the presentation are available on the HAR2009 Wiki.

PDFs are available that provide details on the Security Assessment of the Internet Protocol and of the Transmission Control Protocol, which were carried out on behalf of the UK CPNI (United Kingdom’s Centre for the Protection of National Infrastructure).

Fernando Gont unfortunately didn’t turn up to do the talk. At the moment we’re unsure why, and wouldn’t like to speculate (things just happen sometimes). Hopefully he’ll get rescheduled for sometime later tonight/tomorrow.

Airprobe is a project for creating an open-source GSM protocol decoder.

Using gnuradio Software Defined Radio (SDR)

GSM layer 1 demodulation / decode

GSM TDMA demultiplex

Recombining bursts into MAC blocks

Handing MAC blocks to the protocol analyzer

…

Why? Because wardrivers must be getting bored with just wireless LANs. There are other networks out there that are vulnerable (DECT, GSM, etc.). Raising public awareness is very important. It’s OK to look at the specs and say “There might be a problem here”, but testing and proof are needed to effect change.

The chips and parts required to build your own GSM sniffer are not available to the general public (at least at the low quantities required for normal usage). This is where the SDR comes in.

Airprobe decoders supported:

gsmsp

gssm: considered alpha

gsm-tvoid

gsm-receiver: the latest GSM decoder, with much better decoding

gsmdecode: GSM Layer 2+ decoder, from hex bytes to human readable

gsmstack: GSM MAC layer, from demodulated bits to MAC blocks; incomplete (will be integrated with gsm-receiver)

The project is currently looking for developers with DSP experience; get in touch through airprobe.org if you can help.

Demo: Using the USRP and SDR to eavesdrop on GSM traffic. The demo used pre-recorded data from the USRP to input into gsm-receiver and view the MAC blocks.

MAC blocks are displayed as 23-byte blocks and use [2b] as a filler if there isn’t enough data to fill a block.

By taking these MAC blocks and piping them into gsmdecode it’s possible to decode and view the system information and paging traffic (clear-text). This capture was taken on a non-frequency-hopping network. Frequency hopping, however, isn’t a security solution, as the hopping pattern is sent in clear-text and is publicly known; frequency hopping is used to avoid interference. The current setup doesn’t support frequency hopping, but there are a number of solutions being considered.
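To make the 23-byte block layout described above concrete, here is an added example (not Airprobe's code) that splits a constructed block dump into its pseudo-length header, the L3 message and the trailing octets, and flags blocks whose framing is malformed. The sample block is constructed in the space-separated hex style of a MAC block dump; the message-type names are the RR values from GSM 04.08.

```python
FILL = 0x2B        # L2 fill octet (0b00101011), shown as [2b] in gsm-receiver output
BLOCK_LEN = 23     # one L2 block on BCCH/CCCH

# RR message types (GSM 04.08) seen in system information and paging traffic
RR_MSG = {0x19: "SI1", 0x1A: "SI2", 0x1B: "SI3", 0x1C: "SI4", 0x21: "Paging Request Type 1"}

# Constructed sample: an idle Paging Request Type 1 (no mobile identity), pseudo-length 5,
# followed by 17 fill octets. Not a real capture.
PAGING_IDLE = "15 06 21 00 01 f0" + " 2b" * 17


def parse_block(hexdump: str) -> dict:
    """Split a 23-byte Bbis-format block (BCCH/CCCH) into its parts and sanity-check framing."""
    block = bytes.fromhex(hexdump)
    if len(block) != BLOCK_LEN:
        raise ValueError(f"expected {BLOCK_LEN} octets, got {len(block)}")
    hdr = block[0]
    # pseudo-length octet: bits 8..3 hold the L3 length, bits 2..1 must be 01
    if hdr & 0x03 != 0x01:
        raise ValueError(f"invalid pseudo-length octet 0x{hdr:02x}")
    l3_len = hdr >> 2
    if l3_len > BLOCK_LEN - 1:
        raise ValueError(f"L3 length {l3_len} does not fit in a block")
    l3 = block[1:1 + l3_len]
    tail = block[1 + l3_len:]
    msg_type = l3[1] if len(l3) > 1 else None
    return {
        "l3_len": l3_len,
        "pd": l3[0] & 0x0F if l3 else None,     # protocol discriminator (0x06 = RR)
        "msg_type": msg_type,
        "msg_name": RR_MSG.get(msg_type, "unknown"),
        "l3": l3.hex(),
        # for SI messages the tail carries rest octets; an idle paging block is pure fill
        "tail_is_fill": all(b == FILL for b in tail),
        "tail_len": len(tail),
    }


def is_well_formed(hexdump: str) -> bool:
    """True if the dump parses as a correctly framed 23-byte block."""
    try:
        parse_block(hexdump)
        return True
    except ValueError:
        return False
```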

As gsm-receiver outputs captures in PCAP format, they can be opened in Wireshark to get a full graphical representation. The Wireshark patches are currently available in SVN.

All the building blocks are in place to enable decoding of GSM encryption. The final step is a working proof of concept to break the encryption. There are a few weaknesses, but no full PoC currently. The tools are here, but they need to be made more user friendly.

Currently there is no support for GPRS/EDGE, although this should be possible with some work. GPRS uses different encryption than GSM, however, so research will be needed in this area.

This increases the size of the zone, and will therefore increase the required bandwidth.

Current state of deployment: .gov, .org, .museum, .bg, .br, .cz, .pr, .se

.com and .net are planned to be signed by 2011 (this is more than 65% of all domains).

Root is likely to be signed before the end of 2009.

As the root isn’t yet signed, there are currently a number of islands of trust. Once the root is signed, then things will become more workable.

IANA has made an “Interim Trust Anchor Repository” (ITAR) available at http://itar.iana.org to help with the issue of islands of trust. Once the root is signed, hopefully this will no longer be needed. Even working with the ITAR list can be troublesome, as it has to be downloaded (and validated against a hash value) and imported. It is also important to keep the information up to date, as the keys expire and need to be refreshed.

DNSSEC is hard to do, but even critics agree that it is the only available solution at the moment.

There is a lack of available tools to assist in the deployment of signed zones. DNS has always been very forgiving; DNSSEC, however, turns a small mistake into something that could take your zone offline.
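As an added example of the ITAR workflow described above (download, validate against a hash, import, refresh before keys expire), here is a small checker that is not IANA's tooling: it verifies a downloaded anchor list against a published SHA-256, parses DS records in master-file syntax, and reports the kind of small mistake (a digest that does not match its digest type, an expired or soon-expiring anchor) that DNSSEC does not forgive. The anchor list, its "; valid-until" comment convention and the digest values are constructed for this example, not the real ITAR data or file format.

```python
import hashlib
import datetime as dt

DIGEST_LEN = {1: 40, 2: 64}   # hex length per DS digest type: 1 = SHA-1, 2 = SHA-256

# Constructed anchor list (not real ITAR data); "; valid-until" is an invented convention.
ANCHOR_FILE = b"""\
; constructed trust anchors for three islands of trust
se.      IN DS 11111 5 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ; valid-until 2010-03-01
cz.      IN DS 22222 7 1 0123456789abcdef0123456789abcdef01234567 ; valid-until 2009-09-01
museum.  IN DS 33333 5 2 0123456789abcdef ; valid-until 2010-06-30
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_sha256: str) -> bool:
    """Compare the downloaded list with the published hash before importing anything."""
    return sha256_hex(data) == published_sha256.strip().lower()


def parse_anchors(data: bytes) -> list:
    """Parse 'zone IN DS keytag alg dtype digest' lines; comments after ';' may carry validity."""
    anchors = []
    for line in data.decode().splitlines():
        rr, _, comment = line.partition(";")
        f = rr.split()
        if len(f) < 7 or f[2] != "DS":
            continue
        valid_until = None
        if "valid-until" in comment:
            valid_until = dt.date.fromisoformat(comment.split("valid-until")[1].strip())
        anchors.append({"zone": f[0], "keytag": int(f[3]), "alg": int(f[4]),
                        "dtype": int(f[5]), "digest": f[6].lower(), "valid_until": valid_until})
    return anchors


def check_anchors(anchors: list, today_iso: str, warn_days: int = 30) -> list:
    """Return (zone, problem) pairs: malformed digests and anchors that are expired or expiring."""
    today = dt.date.fromisoformat(today_iso)
    problems = []
    for a in anchors:
        if len(a["digest"]) != DIGEST_LEN.get(a["dtype"], -1):
            problems.append((a["zone"], "digest length does not match digest type"))
        if a["valid_until"] is None:
            continue
        if a["valid_until"] < today:
            problems.append((a["zone"], "expired"))
        elif (a["valid_until"] - today).days <= warn_days:
            problems.append((a["zone"], "expires soon, refresh from the ITAR"))
    return problems
```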


Note: A large portion of the content I post on my blog comes from "live blogging" of security conferences. These posts are in note form and are written live during a talk. As such, errors and omissions are expected. I'm only human after all!